Skip to content
/ PrimaryTokenTheft Public

Steal a primary token and spawn cmd.exe using the stolen token

249 stars 52 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

slyd0g/PrimaryTokenTheft

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
README.md
README.md
 
 
example.png
example.png
 
 
main.cpp
main.cpp
 
 

Repository files navigation

PrimaryTokenTheft

Main code taken from @kondecuotas blog.

Steal a primary token and spawn cmd.exe using the stolen token.

  • Added the ability to pass a PID by command-line argument.
  • Automatically enable SeDebugPrivilege.
  • Reduced privileges needed for OpenProcess(), OpenProcessToken() and DuplicateTokenEx() from TOKEN_ALL_ACCESS/PROCESS_ALL_ACCESS to the bare minimum needed for each API call.
  • Will also use ImpersonatedLoggedOnUser() to impersonate the logged-on user in the current thread.

Blogpost

Elevating to SYSTEM

GetSystem

Credit

Main blog and source code: https://ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation

Elevating to system with Winlogon: https://twitter.com/monoxgas/status/1109892490566336512?s=20

Figured out minimum privileges to call DuplicateTokenEx() with for CreateProcessWithTokenW to work here: https://stackoverflow.com/questions/5447418/why-is-createprocesswithtokenw-failing-with-error-access-denied (MSDN docs are wrong)

MSDN Enabling Privileges: https://docs.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--

About

Steal a primary token and spawn cmd.exe using the stolen token

Resources

Readme
Activity

Stars

249 stars

Watchers

10 watching

Forks

52 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages